Bring your own discovery nightmare: Inside counsel in the BYOD era

You know that a trend is on the rise when it earns itself a catchy acronym, and you know that a rising trend is no longer just a trend when mainstream news channels pick it up. As early as March 2012, NBCnews.com reported that “’Bring your own device’ is a huge concern among IT professionals.” While most coverage of the BYOD revolution is understandably concerned with basic security, even a malware-proofed and securely pass-coded smartphone presents what should be an equally bone chilling threat to in-house counsel: the threat of discoverability. Each of your colleagues’ iPhones, iPads, Blackberries and Androids contains more legally relevant ESI than most of us have dared imagine. As arbiters of risk assessment and defenders of intellectual property, perhaps no other position faces as much potential harm from a haphazardly concocted BYOD policy as does the in-house counsel.

Let’s make this very clear: mobile devices are currently absolutely ubiquitous. In constant motion from “good morning” to “good night,” these tiny supercomputers track our lives from home to the office and back again. According to recent statistics from the Pew Internet Research Group, 87 percent of Americans have cell phones, 46 percent own smartphones and 31 percent own tablets, with many more intent on purchasing a tablet in the next year. In July 2011, forecasters predicted that smartphones would reach 1 billion in annual sales by 2016. By December 2012, that number had more than doubled to 2.2 billion.

Each of these devices holds a truly staggering amount and variety of data. Moreover, each of these devices is increasingly likely to hold data concerning not only personal affairs but also work-related data. The half-dazed person in the waiting room next to you, head-down and glued to her phone, is just as likely to be emailing her superior, subordinate or officemate about an ongoing project as she is to be texting a friend or reading the news. Your company, whose legal interests you were hired to protect, is both the site and subject of an inestimable and terrifyingly high number of highly sensitive and frequently impulsive communications every day. The proverbial water cooler is now a wireless network. The things your co-workers used to whisper to each other – the things you never wanted to overhear – about your products, your competitors and each other are now being repeated on their phones and tablets with emails, text messages and posts to social media platforms. Everything said is now in document-type form, and every relevant document can be discovered.

The rise of the BYOD workplace has had, of course, a number of unintended consequences. Perhaps the most impactful of these is the erasing of the work/home barrier. Naturally, this has had a theoretical boon on productivity. Certainly, many businesses have received more time out of their employees’ days than those employees were hired to give, and they have earned this boost with tools that the employees provided for themselves. What a deal, right?

Not exactly. When the company chooses not to control what tools its employees use to create, review and transfer information, that company has also chosen to cede control over what goes on (and comes off) those tools in the course of business. As a result, work-relevant data on Employee A’s iPhone may not be available via any other source of electronically stored information and, suddenly, A’s personal phone has become discoverable in his employer’s litigation. It is now more likely that smoking gun evidence will be found on a mobile device than in a desktop hard-drive. Through very public trial and error, the larger community of “knowledge workers” has learned that it is best to not use their “work machine” for private or potentially damaging activity. However, few of these individuals imagine that the phones they keep in their pockets or purses would ever be taken into custody.

This means two things for inside counsel. First, you must instruct your colleagues in the proper use and maintenance of the devices they bring to work and the information kept on them. Second, you must assume that they will not follow your advice and that neither will employees of your opposition. Ignoring either of these things could prove disastrous.

You simply must review and revise your company’s BYOD policy. It should provide adequate notice to new employees of the risks of conducting their business and their personal lives on the same device. It should define “intellectual property” and “trade secret.” It should, in effect, deliver one message to two audiences: It should alert the employee to the dangers inherent in BYOD and it should alert a hypothetical judge or jury in the future that your company did everything reasonably within its power to prevent misuse of the device and to protect its valuable intellectual property.

Also, you need a plan to include your employees’ mobile devices and the devices of your opposition’s employees in discovery processes. When you hire outside counsel to run your litigation, you must instruct them to aggressively seek out mobile data. You can stay ahead of this by including cell phones and tablets in the dragnet when preserving and collecting data internally in anticipation of litigation, and then, once the litigation begins, you have to subpoena and collect data from the other side. In order to do this, you will need to acquire the right technology. If you choose not to, you are essentially neglecting your duty to zealously and effectively provide your company with competent representation.

Fortunately, tools long used by law enforcement and forensic practitioners are available in more user-friendly forms to companies and legal teams dealing with collection from iPhones, Androids and Blackberries. Traditionally deployed in the field or in evidence labs, these tools have been scaled to work in the civil arena in consort with already existing review platforms. They have the ability to quickly and cleanly extract data long forgotten by their owner and to parse it into categories such as relevant/not-relevant, work/not-work, et cetera. They can acquire application data, telephone data, contacts, texts messages, images and much more. Moreover, they can do so in a forensically sound manner, without disturbing underlying metadata. In addition, these applications are increasingly intuitive and reasonably priced. It would, indeed, be wrong not to use them.

Your smartphone and the smartphones of everyone you care about and/or work with are subject to subpoena, discovery and increasingly powerful forensic analysis. Containing a rich variety of data and breeding the sort of informality that leads to case-cracking evidence, these devices are the next big source of discoverable data, and the attorney who ignores them does so at his or her certain peril. Conversely, the attorney who does not ignore them stands to gain a great advantage during discovery and peace of mind in the office – and possibly even a good night’s sleep.